MirrorIQ

Akylade

~5 min read

mirroriq.io
Next.js, TypeScript, MongoDB, Prisma, AWS Cognito, Zustand, SST, Stripe

Overview

MirrorIQ is a privacy-first Governance, Risk, and Compliance (GRC) platform built for cybersecurity practitioners and organizations working across multiple compliance frameworks. It covers multi-framework assessments (NIST CSF 2.0, NIST AI RMF, SOC 2 Type II, HIPAA, ISO 27001, PCI DSS, and more), an evidence repository, System Security Plan (SSP) generation for government compliance, and a structured auditor collaboration workspace.

The core differentiator is a zero-knowledge architecture: assessment data is encrypted client-side before it ever leaves the browser. The server stores only ciphertext and has no ability to decrypt it. This makes MirrorIQ viable for teams with strict data residency requirements and organizations that cannot afford to trust a SaaS vendor with raw compliance data.

My Role

As Senior Product Engineer at Akylade, I own MirrorIQ end-to-end: database schema, backend server actions, the full frontend across all subscription tiers, the encryption layer, and all third-party integrations. This includes the billing pipeline, authentication, infrastructure, and the enterprise multi-tenant system.

The Platform

MirrorIQ is organized around four pillars, each scoped to a distinct phase of a compliance engagement.

Assessment Engine

The core of the platform. Users work through controls across any supported framework, entering responses and implementation notes. The engine calculates maturity scores in real time, runs gap analysis against target baselines, and auto-generates a POA&M (Plan of Action and Milestones) for any unmet controls. Multi-stakeholder consensus tracking lets teams assign and reconcile responses across roles before finalizing an assessment.

Evidence Manager

A universal evidence repository with automatic control mapping across frameworks. Uploaded documents and artifacts carry quality scoring with a full audit trail on every change. Access is governed by a five-role permission model, so external reviewers can be scoped to only the evidence relevant to their engagement.

SSP Generator

Generates System Security Plans for government compliance submissions, supporting FedRAMP, CMMC, and StateRAMP baselines. Controls are authored inline and linked to evidence, with structured document export. A template manager lets teams maintain reusable sections across multiple SSPs without duplicating work.

Auditor Collaboration

Scoped workspaces for external auditor engagement. Auditors can request specific evidence, track findings, and issue remediation notes without accessing anything outside their assigned assessments. The audit trail is tamper-evident by design, and the workspace exports as a complete audit package.

Technical Deep Dive

Zero-Knowledge Encryption

The encryption model is built around one principle: the server should be architecturally incapable of reading user data, not just policy-restricted from doing so. Assessment data is encrypted in the browser before any write and decrypted locally after any read.

One non-obvious constraint here is key stability. Auth tokens carry session metadata that changes on every login, so deriving the encryption key directly from the full token would produce a different key each session, making previously encrypted data unreadable. The solution is to derive from the stable parts of the user's identity instead, combined with a per-user salt, so the key is reproducible across sessions without ever being stored.
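The derivation described above, as an added example that is not MirrorIQ's own code: it uses Node's `crypto` module so it runs outside a browser (the platform itself would use Web Crypto), and the claim names, the HKDF context label and the sample token claims are assumptions. It contrasts deriving from the stable identity claims plus a per-user salt with the naive full-token derivation, and round-trips an AES-GCM ciphertext across two logins.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "crypto";

// Constructed shape of the claims an auth token might carry: `sub` and `email`
// are stable across logins, `iat` and `jti` change with every session.
interface TokenClaims { sub: string; email: string; iat: number; jti: string }

const STABLE_CLAIMS: Array<keyof TokenClaims> = ["sub", "email"];
const INFO = "mirroriq-assessment-key-v1"; // assumed HKDF context label

// Key derived only from the stable identity claims plus the per-user salt.
// The salt is generated once per user and stored; the key itself never is.
export function deriveKey(claims: TokenClaims, userSalt: Buffer): Buffer {
  const ikm = STABLE_CLAIMS.map((k) => `${k}=${claims[k]}`).join("|");
  return Buffer.from(hkdfSync("sha256", ikm, userSalt, INFO, 32));
}

// The alternative the text warns against: deriving from the whole token.
export function naiveKey(claims: TokenClaims, userSalt: Buffer): Buffer {
  return Buffer.from(hkdfSync("sha256", JSON.stringify(claims), userSalt, INFO, 32));
}

// AES-256-GCM applied before any write; blob = iv || tag || ciphertext.
export function encryptAssessment(key: Buffer, plaintext: string): string {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString("base64");
}

export function decryptAssessment(key: Buffer, blob: string): string {
  const b = Buffer.from(blob, "base64");
  const d = createDecipheriv("aes-256-gcm", key, b.subarray(0, 12));
  d.setAuthTag(b.subarray(12, 28));
  return Buffer.concat([d.update(b.subarray(28)), d.final()]).toString("utf8");
}

// Two logins for the same user (constructed claims): the stable derivation
// yields the same key and can read data written under the first session.
export function keyStabilityDemo() {
  const salt = Buffer.from("constructed-per-user-salt-0001");
  const login1: TokenClaims = { sub: "user-123", email: "alice@example.com", iat: 1700000000, jti: "sess-1" };
  const login2: TokenClaims = { ...login1, iat: 1700090000, jti: "sess-2" };
  const k1 = deriveKey(login1, salt);
  const k2 = deriveKey(login2, salt);
  const blob = encryptAssessment(k1, '{"AC-1":"implemented"}');
  return {
    stableMatch: k1.equals(k2),
    naiveMatch: naiveKey(login1, salt).equals(naiveKey(login2, salt)),
    roundTrip: decryptAssessment(k2, blob) === '{"AC-1":"implemented"}',
  };
}
```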

Storage Adapter and Subscription Tier Architecture

MirrorIQ has four subscription tiers, each with a different storage mode, and the application layer should not need to branch on which one is active. A storage adapter pattern resolves the correct implementation at runtime.

This keeps the four pillars entirely decoupled from billing logic. Adding or changing a storage tier is a change to the adapter layer, not to any feature code. Local storage uses IndexedDB rather than the Web Storage API — the capacity difference is significant for large assessments, and the failure behavior in restricted browser contexts is explicit rather than silent.

Orchestrator: Cascading Calculations

A compliance assessment is not a static document. Changing a single control response can affect maturity scores, gap status, financial risk calculations, POA&M item states, and cloud persistence all at once. Without coordination, each feature would independently react to the same event and produce redundant or conflicting updates.

The orchestrator is a job queue that runs these stages in a fixed order with a debounce on the trigger. A single user action enqueues one job; after the debounce window, each stage runs sequentially with the output of one feeding into the next. POA&M items tied to newly closed gaps are automatically resolved without any additional user action.
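The cascade described above, as an added example that is not MirrorIQ's own code: stage names, data shapes and the scoring rule are assumptions. A burst of edits arms one debounced job; `runNow` runs maturity scoring, gap analysis against the baseline, POA&M reconciliation and persistence in that order, resolving items whose gap has closed.

```typescript
// Added example, not MirrorIQ's code: stage names, data shapes and scoring are assumptions.
type Response = "implemented" | "partial" | "not_implemented";
interface Assessment { controls: Record<string, Response>; baseline: Record<string, Response> }
interface PoamItem { control: string; status: "open" | "resolved" }
interface Ctx { assessment: Assessment; poam: PoamItem[]; maturity?: number; gaps?: string[]; persisted?: number }
type Stage = (ctx: Ctx) => Ctx;

const SCORE: Record<Response, number> = { implemented: 1, partial: 0.5, not_implemented: 0 };

// Stage 1: maturity as the mean control score.
export const computeMaturity: Stage = (ctx) => {
  const scores = Object.values(ctx.assessment.controls).map((r) => SCORE[r]);
  return { ...ctx, maturity: scores.reduce((a, b) => a + b, 0) / scores.length };
};

// Stage 2: a control is a gap when its score is below the target baseline.
export const gapAnalysis: Stage = (ctx) => ({
  ...ctx,
  gaps: Object.entries(ctx.assessment.controls)
    .filter(([c, r]) => SCORE[r] < SCORE[ctx.assessment.baseline[c] ?? "implemented"])
    .map(([c]) => c),
});

// Stage 3: open a POA&M item per gap, resolve items whose gap has closed.
export const reconcilePoam: Stage = (ctx) => {
  const open = new Set(ctx.gaps ?? []);
  const poam: PoamItem[] = ctx.poam.map((p) => (open.has(p.control) ? p : { ...p, status: "resolved" as const }));
  open.forEach((c) => { if (!poam.some((p) => p.control === c)) poam.push({ control: c, status: "open" }); });
  return { ...ctx, poam };
};

// Stage 4: cloud persistence, counted here instead of written to a server.
export const persist: Stage = (ctx) => ({ ...ctx, persisted: (ctx.persisted ?? 0) + 1 });

export class Orchestrator {
  private ctx: Ctx;
  private readonly stages: Stage[];
  private readonly debounceMs: number;
  private timer: ReturnType<typeof setTimeout> | undefined;
  constructor(ctx: Ctx, stages: Stage[], debounceMs = 300) {
    this.ctx = ctx; this.stages = stages; this.debounceMs = debounceMs;
  }
  // Every user action applies its change and re-arms the debounce, so a burst of edits yields one job.
  enqueue(mutate: (a: Assessment) => void): void {
    mutate(this.ctx.assessment);
    clearTimeout(this.timer);
    this.timer = setTimeout(() => this.runNow(), this.debounceMs);
  }
  // Runs the stages in fixed order, each fed the previous stage's output.
  runNow(): Ctx {
    clearTimeout(this.timer);
    this.ctx = this.stages.reduce((acc, stage) => stage(acc), this.ctx);
    return this.ctx;
  }
}
```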

Tenant Ownership Model

In the enterprise tier, data is owned by the organization, not the individual user who created it. This distinction matters operationally: when someone leaves, their assessments and evidence stay with the team rather than being tied to a departing account. The data model separates the owning organization (immutable), the current admin contact (reassignable), and the original author (kept for audit trail only). This also makes permission scoping straightforward — access is granted through team membership, not individual record ownership.
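The ownership split described above, as an added example that is not MirrorIQ's own code: field and method names are assumptions. It models the three roles a record carries (immutable owning organization, reassignable admin contact, author kept for audit), decides access by membership, and walks through offboarding the author of a record.

```typescript
// Added example, not MirrorIQ's code: field and method names are assumptions.
type Role = "admin" | "member";
interface Member { userId: string; orgId: string; role: Role }
interface OrgRecord {
  id: string;
  readonly ownerOrgId: string; // immutable: the organization owns the record
  adminContactId: string;      // reassignable current admin contact
  readonly authorId: string;   // original author, kept for the audit trail only
}

export class Tenant {
  private readonly orgId: string;
  private readonly members: Map<string, Member>;
  constructor(orgId: string, members: Member[]) {
    this.orgId = orgId;
    this.members = new Map(members.map((m): [string, Member] => [m.userId, m]));
  }
  // Access is decided by team membership, not by who created the record.
  canAccess(userId: string, rec: OrgRecord): boolean {
    return rec.ownerOrgId === this.orgId && this.members.has(userId);
  }
  // Only the admin contact moves; owner and author are untouched.
  reassignAdmin(rec: OrgRecord, newAdminId: string): OrgRecord {
    const m = this.members.get(newAdminId);
    if (!m || m.orgId !== this.orgId) throw new Error("admin contact must belong to the owning organization");
    return { ...rec, adminContactId: newAdminId };
  }
  // Offboarding: drop the member and hand their admin-contact duties to a
  // fallback; the records themselves stay with the organization.
  offboard(userId: string, fallbackAdminId: string, records: OrgRecord[]): OrgRecord[] {
    if (!this.members.delete(userId)) throw new Error("not a member of this organization");
    return records.map((r) => (r.adminContactId === userId ? this.reassignAdmin(r, fallbackAdminId) : r));
  }
}
```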